In addition to the federal student privacy laws, many state student privacy laws have been passed in recent years.
In 2014, 110 bills were introduced on student data privacy in 36 states, with 24 signed into law. In 2015, more than 180 student privacy bills were introduced, of which 28 became laws. So far in 2016, 36 states have introduced 112 bills, of which 16 passed in 14 states, according to the Data Quality Campaign.
- A useful state-by-state summary is available in the State Student Privacy Law Compendium (Oct. 2016), a joint project between Center for Democracy & Technology (CDT) and BakerHostetler.
- The Software & Information Industry Association offers this Comparison Chart of 2015 State Laws modeled after the CA law SOPIPA (see below) and a Comparison Chart of 2014 Laws .
- Snell and Wilner also has a summary of some notable state student privacy laws, posted Feb. 2017.
Links to some recent state laws are below, including some not included in the above summaries. The longer descriptions are from the National Conference of State Legislatures. You should check out their website as well as back here for updates.
- California : SB 1177 or Student Online Personal Information Protection Act (SOPIPA) (2014). Summary by Cooley LLP. SOPIPA prohibits an operator of a website, online service, online application or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure. A very comprehensive guide was released in Nov. 2016 by the CA Attorney General office on SOPIPA as well as the two other CA student privacy laws listed below. Also see the Data Privacy Guide (2015) on CA student privacy laws, produced by CETPA, the CCSESA and Fagen Friedman & Fulfrost.
- California: AB-1584 (2014) Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software. Now incorporated as CA Education Code Section 49073.1
- California: AB-2799 (2016) Privacy: personal information: preschool and prekindergarten purposes. Applies student privacy protections to preschool personal data.
- Colorado: HB14-1294 (2014); the Student Data Privacy Act, requires the State Board of Education to publish an inventory of the individual student data currently in the student data system as required by state and federal education mandates, as well as any student data proposed for inclusion in this system. It prohibits the Department of Education from providing individual student data to other organizations or agencies outside the state except under specified circumstances.
- Georgia: SB 89 (2015), the Student Data Privacy, Accessibility and Transparency Act, requires an inventory of data elements being collected, including a reason for why each is collected; gives parents rights to review their child’s education record and requires schools to provide electronic copies of student records to their parents upon request; requires development of a data security plan for the state data system; requires technology providers working with schools to develop appropriate security procedures and prohibits them from selling personal information about students or using it for targeted advertising; and provides for the Department of Education to designate a Chief Privacy Officer.
- Idaho: SB 1372 (2014), the Student Data Accessibility, Transparency and Accountability Act of 2014, requires the State Board of Education to create, publish and make publicly available a data inventory that defines individual student data fields included in the student data system. The index must include any individual student data required to be reported by state and federal education mandates; any individual student data proposed for inclusion in the student data system with a statement explaining the reason for inclusion; and any individual student data collected or maintained with no current purpose or reason. The board is required to ensure that any contracts that govern databases, online services, assessments or instructional supports that include student data and are outsourced to private vendors, include express provisions that safeguard privacy and security, contain the restrictions on secondary uses of student data, and provide for data destruction. The act also includes penalties for noncompliance.
- Illinois: Illinois School Student Records Act (ISSRA) (105 ILCS 10/1) (1975) : an older law which notably allows for a private right of action if a student’s privacy rights are violated by a school or district. More on this law here.
- Oklahoma: HB 1989 (2013), the Student Data Accessibility, Transparency and Accountability Act, requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma. It also restricts the state from requesting delinquency records, criminal records, medical and health records, social security numbers and biometric information as part of student data collected from local schools and districts.
- Rhode Island: HB 7124 (2014) limits the use of student data and information obtained by cloud computing service providers when providing services to K-12 educational institutions. It also prohibits the use of such data for commercial purposes, including advertising that benefits the service provider.
- West Virginia: HB 4316 (2014) outlines state, district and school responsibilities for data inventory and provides for a data governance officer. It requires the State Board of Education to develop guidelines for school districts, requiring them to notify parents of their right to request student information and allow parents to access data specific to their child’s educational record; ensure security when providing student data to parents; make sure student data is provided only to authorized individuals; and detail the time frame within which record requests must be provided.
State Social Media Legislation
Illinois (allows schools to request access to personal accounts)
Illinois (bill introduced requiring schools districts to seek a court order to access personal accounts)